ietf-smime

Re: Restarting the 40-bit debate

1997-05-08 15:03:42
Thank you for making an effort to stay on topic.

At 1:38 PM -0700 5/8/97, Keith Moore wrote:
> > Is there something wrong with the spec? Does it force weak
> > cryptography?

> I realize you're trying to keep the flames down, but let me suggest
> that these two questions are not equivalent.

I didn't mean to indicate that they were equivalent. In fact, they are
clearly two very different questions, and I want answers to both of them.

> Furthermore, the latter
> question is not terribly relevant, and addressing that question
> diverts attention from more important issues.

Huh? Not terribly relevant? Any spec that forces weak cryptography should
be rejected out of hand. There were earlier assertions on this list that
the spec forced people to use weak cryptography. I believe those assertions
are false, and tried as hard as possible to word the section so that
everyone could see that it doesn't force weak cryptography.

> The interesting question is not "Does the spec force weak cryptography?"

I disagree. This is a vitally important question.

> The questions to ask are more on the order of:
>
> a. Will the protocol do what it claims to do?
>   (e.g. does it really provide assurances of authentication and/or
>   privacy?)

Good question, and I say the answer is yes on both. No one has said otherwise.

> b. Will it provide adequate security for general-purpose use?
>   (and if not, what is the intended scope of use, and is that
>   scope sufficiently broad to warrant Internet standards-track
>   approval?)

Another good question, and again I say yes. The only time that weak
encryption is mandated is if all of the following conditions are met; in
any other case, strong encryption can be used. The set of qualifications
for being forced to use weak encryption are:

- A willingness on the part of the sender to use weak encryption
- No knowledge on the sender's part of the recipient's encryption capabilities
- An absolute unwillingness to risk decryption on the message

The combination of the last two says something to the effect of: "I don't
know you, but somehow I know that you use S/MIME. Even though we've had no
previous authenticated S/MIME interaction, I want to send you a secret
message that you must be able to decrypt on the first try, and I'm willing
to use weak cryptography to do it because I know that you might only be
capable of using weak cryptography as well."

As you can tell, this is a highly limited case and not terribly likely in
human-to-human email environments. It requires some pretty odd out-of-band
knowledge: you know that the recipient is running S/MIME but you don't know
the recipient's capabilities. This means that you somehow know that they
are running S/MIME even though you've never gotten a signed or encrypted
message from them. *And* you want to send them a piece of encrypted mail
that they must be able to decrypt.

In all other cases, you will have knowledge of the recipient's capabilities
and you can use that knowledge to send the strongest encryption possible.

So, yes, it will provide adequate security for general-purpose use. In
fact, it will provide *strong* security for general-purpose use.

--Paul E. Hoffman, Director
--Internet Mail Consortium
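The selection rule Paul lays out above (strong encryption whenever the recipient's capabilities are known, weak only when the sender accepts weak crypto, knows nothing about the recipient, and refuses to risk an undecryptable message), written out as an added Python example that is not from this thread or from any S/MIME implementation. The algorithm names, key sizes, the 80-bit "weak" threshold and RC2/40 as the lowest common denominator are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed local catalogue of content-encryption algorithms and their
# effective key lengths in bits (illustrative values, not from the thread).
KEY_BITS = {"RC2-40": 40, "DES": 56, "RC2-128": 128, "3DES": 168}
WEAK_THRESHOLD_BITS = 80          # assumption: below this is "weak"
LOWEST_COMMON_DENOMINATOR = "RC2-40"  # assumption: what every S/MIME agent can read


def is_weak(alg: str) -> bool:
    return KEY_BITS[alg] < WEAK_THRESHOLD_BITS


@dataclass
class SenderPolicy:
    willing_to_use_weak: bool       # condition 1 in the thread
    must_decrypt_first_try: bool    # condition 3: no tolerance for a failed decrypt
    preferred: list = field(default_factory=lambda: ["3DES", "RC2-128", "DES", "RC2-40"])


@dataclass
class CapabilityCache:
    """What we learned from signed messages previously received from each
    address (the 'knowledge of the recipient's capabilities' in the thread)."""
    known: dict = field(default_factory=dict)

    def record_signed_message(self, sender: str, advertised: list) -> None:
        self.known[sender] = list(advertised)

    def lookup(self, recipient: str):
        return self.known.get(recipient)  # None means condition 2 holds


def choose_algorithm(recipient: str, cache: CapabilityCache, policy: SenderPolicy) -> str:
    caps = cache.lookup(recipient)
    if caps is not None:
        # Capabilities known: the strongest algorithm the recipient advertised
        # that we also implement. Knowledge always beats guessing.
        for alg in sorted(policy.preferred, key=KEY_BITS.get, reverse=True):
            if alg in caps:
                if is_weak(alg) and not policy.willing_to_use_weak:
                    raise ValueError(f"{recipient} only advertises weak algorithms")
                return alg
        raise ValueError(f"no content-encryption algorithm in common with {recipient}")
    # Capabilities unknown: weak encryption only if the sender accepts it AND
    # insists the message must decrypt on the first try.
    if policy.willing_to_use_weak and policy.must_decrypt_first_try:
        return LOWEST_COMMON_DENOMINATOR
    # Otherwise send strong and accept the risk that the recipient cannot decrypt.
    return max(policy.preferred, key=KEY_BITS.get)
```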